Re: Why do matchpathcon and restorecon ignore the user context by default?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/31/2013 12:55 PM, Bram Mertens wrote:
> Hi,
> 
> I have just lost several hours trying to figure out why I was unable to
> deploy a file from a configuration channel in our satellite server to a
> RHEL6 box while it deployed perfectly to a RHEL5 box.
> 
> I finally tracked it down to the fact that the user context was set to 
> unconfined_u while the rest of the context was set correctly.
> 
> On RHEL5 rhncfg-client get worked flawlessly and deployed the file with a
> *different* user context (system_u) without complaining. On RHEL6
> chncfg-client crashed complaining about the SElinux context - which
> differed only in the user context.
> 
> Here's what I found (I also posted this as a follow up on the rhn-satellite
> mailing list):
> 
> I see some very strange behaviour of SELinux on this RHEL6 box.
> 
> on RHEL5 the following works as expected:
> 
> The default SELinux security context for /etc/sssd/sssd.conf is: 
> [mertensb@testadintegration01 ~]$ sudo  /usr/sbin/matchpathcon 
> /etc/sssd/sssd.conf /etc/sssd/sssd.conf     system_u:object_r:etc_t
> 
> Which is also what is currently applied: [mertensb@testadintegration01 ~]$
> sudo ls -lZ /etc/sssd/sssd.conf -rw-------  root root
> system_u:object_r:etc_t          /etc/sssd/sssd.conf
> 
> So matchpathcon is able to verify the context. 
> [mertensb@testadintegration01 ~]$ sudo  /usr/sbin/matchpathcon -V 
> /etc/sssd/sssd.conf /etc/sssd/sssd.conf verified.
> 
> Testing a randomn other file to verify that matchpathcon works: 
> [mertensb@testadintegration01 ~]$ touch /tmp/proftpd 
> [mertensb@testadintegration01 ~]$ sudo ls -lZ /tmp/proftpd -rw-rw-r--
> mertensb mertensb user_u:object_r:tmp_t            /tmp/proftpd 
> [mertensb@testadintegration01 ~]$ sudo mv /tmp/proftpd
> /etc/cron.monthly/proftpd [mertensb@testadintegration01 ~]$ sudo ls -lZ
> /etc/cron.monthly/proftpd -rw-rw-r--  mertensb mertensb
> user_u:object_r:tmp_t /etc/cron.monthly/proftpd 
> [mertensb@testadintegration01 ~]$ sudo /usr/sbin/matchpathcon 
> /etc/cron.monthly/proftpd /etc/cron.monthly/proftpd
> system_u:object_r:ftpd_exec_t [mertensb@testadintegration01 ~]$ sudo
> /usr/sbin/matchpathcon -V /etc/cron.monthly/proftpd 
> /etc/cron.monthly/proftpd has context user_u:object_r:tmp_t, should be 
> system_u:object_r:ftpd_exec_t
> 
> But on the RHEL6 machine I get: [mertensb@defrltot002 ~]$ sudo ls -lZ
> /etc/sssd/sssd.conf -rw-------. root root unconfined_u:object_r:etc_t:s0
> /etc/sssd/sssd.conf [mertensb@defrltot002 ~]$ sudo  /usr/sbin/matchpathcon
> /etc/sssd/sssd.conf /etc/sssd/sssd.conf     system_u:object_r:etc_t:s0 
> [mertensb@defrltot002 ~]$ sudo  /usr/sbin/matchpathcon -V
> /etc/sssd/sssd.conf /etc/sssd/sssd.conf verified.
> 
> Repeating my test of matchpathcon: [mertensb@defrltot002 ~]$ touch
> /tmp/proftpd [mertensb@defrltot002 ~]$ sudo mv /tmp/proftpd
> /etc/cron.monthly/proftpd [mertensb@defrltot002 ~]$ sudo ls -lZ
> /etc/cron.monthly/proftpd -rw-r--r--. mertensb ISOP
> unconfined_u:object_r:user_ tmp_t:s0 /etc/cron.monthly/proftpd 
> [mertensb@defrltot002 ~]$ sudo /usr/sbin/matchpathcon
> /etc/cron.monthly/proftpd /etc/cron.monthly/proftpd
> system_u:object_r:ftpd_exec_t:s0 [mertensb@defrltot002 ~]$ sudo
> /usr/sbin/matchpathcon -V /etc/cron.monthly/proftpd 
> /etc/cron.monthly/proftpd has context unconfined_u:object_r:user_tmp_t:s0,
> should be system_u:object_r:ftpd_exec_t:s0
> 
> Both have the same sssd SELinux policy loaded: RHEL5: 
> [mertensb@testadintegration01 ~]$ sudo /usr/sbin/semodule -l|grep sssd sssd
> 1.0.2 RHEL6: [mertensb@defrltot002 ~]$ sudo /usr/sbin/semodule -l|grep
> sssd sssd    1.0.2
> 
> Digging further I found out that if only the user context is different 
> matchpathcon returns OK. See
> http://manpages.ubuntu.com/manpages/karmic/man3/matchpathcon.3.html
> 
> I also found a post on this list indicating that restorecon has a forece
> option to make it set the user context which it doesn't do by default:
> http://fedora.12.x6.nabble.com/restorecon-isn-t-restoring-what-matchpathcon-shows-td2645478.html
>
>  So why isn't the user context set/reset by default? After all it clearly
> leaves the system in a broken state.
> 
> And why doesn't matchpathcon have a similar force option to make it check
> the entire context?
> 
> Thanks in advance.
> 
> Bram Mertens -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx 
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 

Well the user component is ignored on almost every SELinux System and all that
are shipped with policy from Red Hat.

The first couple of paragraphs of

http://danwalsh.livejournal.com/63586.html

explain this.

restorecon main goal is to fix the "type" portion of the SELinux label and not
to touch the User component or the MLS field unless you specify -F.






-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlH5RVsACgkQrlYvE4MpobPujACgyNguC2utjf+9Mkd7RYBaifTW
eEwAoN7+WmSqrGGvFf4GZYK4uVJlEoHC
=/c3M
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux





[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux